New Perseus Android Banking Malware Monitors Notes Apps to Extract Sensitive Data

https://thehackernews.com/2026/03/new-perseus-android-banking-malware.html

Publish Date: 2026-03-19 08:43:00

Source Domain: thehackernews.com

Ravie Lakshmanan | Mar 19, 2026 | Malware / Mobile Security

Cybersecurity researchers have disclosed a new Android malware family called Perseus that’s being actively distributed in the wild with an aim to conduct device takeover (DTO) and financial fraud.

Perseus is built upon the foundations of Cerberus and Phoenix, at the same time evolving into a “more flexible and capable platform” for compromising Android devices through dropper apps distributed via phishing sites.

“Through Accessibility-based remote sessions, the malware enables real-time monitoring and precise interaction with infected devices, allowing full device takeover and targeting various regions, with a strong focus on Turkey and Italy,” ThreatFabric said in a report shared with The Hacker News.

“Beyond traditional credential theft, Perseus monitors user notes, indicating a focus on extracting high-value personal or financial information.”

Cerberus was first documented by the Dutch mobile security company in August 2019, highlighting the malware’s abuse of Android’s accessibility service to grant itself additional permissions, as well as steal sensitive data and credentials by serving fake overlay screens. Following the leak of its source code in 2020, multiple variants have emerged, including Alien, ERMAC, and Phoenix.

Some of the artifacts distributed by Perseus are listed below:

  • Roja App Directa (com.xcvuc.ocnsxn) – Dropper
  • TvTApp (com.tvtapps.live) – Perseus payload
  • PolBox Tv (com.streamview.players) – Perseus payload
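A defender can triage a device for the two signals described above: the listed package names, and an enabled accessibility service owned by an app that did not come from a trusted store. The following is an added example, not code from the article or from ThreatFabric; it assumes input captured with `adb shell pm list packages -i` and `adb shell settings get secure enabled_accessibility_services`, and the sample output and service class names in it are constructed.

```python
PERSEUS_PACKAGES = {  # package names as listed in the article
    "com.xcvuc.ocnsxn": "Roja App Directa (dropper)",
    "com.tvtapps.live": "TvTApp (Perseus payload)",
    "com.streamview.players": "PolBox Tv (Perseus payload)",
}
TRUSTED_INSTALLERS = {"com.android.vending"}  # assumption: only Play Store is trusted

def parse_installers(pm_output):
    """Map package -> installer from `pm list packages -i` output."""
    installers = {}
    for line in pm_output.splitlines():
        fields = line.strip().split()
        if not fields or not fields[0].startswith("package:"):
            continue
        installer = None
        for field in fields[1:]:
            if field.startswith("installer=") and field != "installer=null":
                installer = field.split("=", 1)[1] or None
        installers[fields[0][len("package:"):]] = installer
    return installers

def parse_a11y(setting):
    """Packages owning an enabled accessibility service (colon-separated pkg/class)."""
    setting = setting.strip()
    if setting in ("", "null"):
        return set()
    return {comp.split("/", 1)[0] for comp in setting.split(":") if comp}

def triage(pm_output, a11y_setting):
    """Return [(package, [reasons])] for packages that deserve a closer look."""
    installers, a11y = parse_installers(pm_output), parse_a11y(a11y_setting)
    findings = []
    for pkg in sorted(set(installers) | a11y):
        reasons = []
        if pkg in PERSEUS_PACKAGES:
            reasons.append("listed: " + PERSEUS_PACKAGES[pkg])
        if pkg in a11y and installers.get(pkg) not in TRUSTED_INSTALLERS:
            reasons.append("accessibility service enabled, not installed from a trusted store")
        if reasons:
            findings.append((pkg, reasons))
    return findings

# Constructed sample input (the service class names are made up for illustration).
SAMPLE_PM = """package:com.android.chrome  installer=com.android.vending
package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.tvtapps.live  installer=null
"""
SAMPLE_A11Y = "com.google.android.marvin.talkback/com.example.A11y:com.tvtapps.live/com.example.Svc"
if __name__ == "__main__":
    print(triage(SAMPLE_PM, SAMPLE_A11Y))
```

Preinstalled system apps also report a null installer, so vendor accessibility services need an allow-list before the second check is used for alerting.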

ThreatFabric’s analysis has uncovered that the malware expands on the Phoenix codebase, with the threat actors likely relying on a large language model (LLM) to assist with the development. This is based on indicators such as extensive in-app logging and the presence of emojis in the source code.

As with the recently disclosed Massiv Android malware, Perseus masquerades as IPTV services to target users who are looking to sideload such apps on their devices to watch…
